httpd-users mailing list archives

From "Chirouze Olivier" <olivier.chiro...@volvo.com>
Subject RE: [users@httpd] Request for Input: ApacheCon SSL Training
Date Mon, 19 Mar 2007 09:30:00 GMT
Hi,

I'm sorry I always insist on wildcard certificates being not officially
supported by Apache, but I think that's something to know about. You can
save a bunch of dollars a year with this trick ;-)

Here's what I recently wrote for a doc, feel free to correct me if I'm
wrong:

------------------------------------------------------------------------------------------------------------
Name based virtual hosting is not officially compatible with HTTPS.

The reason is:
1) the request received by Apache is encrypted: only the source and destination IP addresses can be read by Apache (it is in the TCP header, not the encrypted HTTP request)
2) for this reason, when using name based virtual host, no virtual host can be associated with the HTTPS request
3) by default, the first SSLCertificateFile directive found is used: the first SSL certificate found is used

However, if a single "wildcard" certificate is used by all virtual hosts on the same IP, then:
4) the first certificate found is correct
5) the request can be decrypted
6) the server name can now be read and the right virtual host is found
7) the rest of the process is similar to normal HTTP

A few consequences:
- it only works because all the virtual hosts on the same IP use the same SSL certificate
- because they are virtual hosts with different names (hence the "name based"), the certificate can only be a "wildcard" certificate...
- when using this "unsupported feature" it is very important to make it clear that the virtual hosts use the same certificate => for example, move the "SSLCertificateFile" directive in a file and include it in all your virtual hosts. Then a change in this file will clearly affect all your virtual hosts.

Very logically, wildcard certificates aren't officially supported by
Apache either.

Apache, when starting up, compares the server name of the SSL
certificate with the configuration (virtual host) server name.
Thus, when using a wildcard certificate, you will get such a warning at
startup:

[Fri Jul 21 13:40:10 2006] [warn] RSA server certificate CommonName (CN) `*.myserver.com' does NOT match server name!?

See:
- http://mail-archives.apache.org/mod_mbox/httpd-bugs/200512.mbox/%3C20051214183548.6B3CC184@ajax.apache.org%3E
- http://www.lists.aldigital.co.uk/apache-ssl/msg03957.html

Reference: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

------------------------------------------------------------------------------------------------------------

I'd be proud if I can help for ApacheCon ;-)

Olivier

Olivier CHIROUZE
I&0 Infrastructure
Volvo Information Technology
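As an added example (not from Olivier's doc or from the Apache project), here is a small Python check for the two consequences described above: it reads the SSL virtual hosts out of an httpd.conf fragment, confirms that each ServerName is actually covered by the wildcard CN (a single "*" covers exactly one leftmost label, so "*.myserver.com" does not cover "myserver.com" or "a.b.myserver.com"), and flags an address:port group whose vhosts point at different SSLCertificateFile values. The configuration is constructed for the example, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed httpd.conf fragment (not from the original post): three
# name-based SSL vhosts on one IP:port, two sharing the wildcard cert
# and one that mistakenly uses a different certificate file.
SAMPLE_CONF = """
<VirtualHost 10.0.0.1:443>
    ServerName www.myserver.com
    SSLCertificateFile /etc/ssl/wildcard.crt
</VirtualHost>
<VirtualHost 10.0.0.1:443>
    ServerName intranet.myserver.com
    SSLCertificateFile /etc/ssl/wildcard.crt
</VirtualHost>
<VirtualHost 10.0.0.1:443>
    ServerName shop.otherdomain.com
    SSLCertificateFile /etc/ssl/otherdomain.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf):
    """Return (address, ServerName, SSLCertificateFile) for each SSL vhost."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M)
        if name and cert:
            vhosts.append((addr.strip(), name.group(1), cert.group(1)))
    return vhosts


def wildcard_matches(cn, hostname):
    """True if the certificate CN covers hostname; '*' covers one label only."""
    cn, hostname = cn.lower(), hostname.lower()
    if not cn.startswith("*."):
        return cn == hostname
    suffix = cn[1:]                      # ".myserver.com"
    if not hostname.endswith(suffix) or len(hostname) <= len(suffix):
        return False
    return "." not in hostname[:-len(suffix)]   # exactly one leftmost label


def find_problems(conf, cert_cn):
    """List vhosts the CN does not cover and address groups mixing certificates."""
    problems, certs_by_addr = [], defaultdict(set)
    for addr, name, cert in parse_vhosts(conf):
        certs_by_addr[addr].add(cert)
        if not wildcard_matches(cert_cn, name):
            problems.append(f"{name}: not covered by CN {cert_cn}")
    for addr, certs in certs_by_addr.items():
        if len(certs) > 1:   # only the first certificate found will be used
            problems.append(f"{addr}: {len(certs)} different SSLCertificateFile values")
    return problems
```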
 

> -----Original Message-----
> From: Vincent Bray [mailto:noodlet@gmail.com] 
> Sent: 19 March 2007 10:09
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Request for Input: ApacheCon SSL Training
> 
> On 19/03/07, Sander Temme <sctemme@apache.org> wrote:
> > Dear list,
> >
> > As I prepare my training session titled "Practical SSL Implementation
> > with Apache" for the upcoming ApacheCon EU conference, I would like
> > to take a moment and request your feedback.
> 
> #apache on freenode commonly sees questions from people confused by the
> various certificate formats and by the openssl command (hardly
> surprising considering its man page). Perhaps some coverage of the
> difference between pem/der/crt/whatever, and maybe ways to
> validate/convert those formats?
> 
> I can't attend the conference but I hope it turns out well, 
> good luck :)
> 
> -- 
> noodl
> 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

